Human Factors in ISMS: Goal Driven Risk Management

The first article in this series provided an introduction to our research analyzing human factors and their influence on an effective information security management system. This installment will explore some of the background knowledge on the subject, including Force Field Analysis (FFA) and the GOAL-Driven Risk Management Model.

Force Filed Analysis (FFA)

Force field analysis (FFA) has been widely used for management changes in organizations (McMahon, 2010). This technique was developed and introduced by Kurt Lewin (1947). Lewin’s analysis model assesses the impact of all elements and forces, which influence change. These factors can be categorized into two parts, driving forces and restraining forces as presented in figure 1.

Figure 1: Force Field Analysis

This figure provides an overview of FFA in which driving forces verses retraining forces for fulfillment of the effectiveness of ISMS goal.

Driving forces are all forces that coerce for and elevate change. Senior management’s support and mandate is an evident example of driving forces (Marilynn and Bozak 2003).

In contrast, the restraining forces are forces that functioning to hold back the driving forces and prevent a change from happening by creating obstacles and risks. For example, concerns over individual errors could be an obstacle in change goal ISMS strategy.

Strengthening driving forces whilst the elimination of restraining forces, ensures succession of ISMS goals, which is preventing risks by providing cost effective control measures. The human factors concerning FFA are a very subjective matter that requires a measurement in order to be quantified and visualized.

For this purpose, each factor can be assigned with a numerical impact scale. This quantification resulted from interviews conducted in our previous study in two financial organizations which IS incidents occurred.

Force Field Analysis (FFA) and ISMS

It has been widely noted that human factors are subjective matters and require methods to be quantified (Alavi, et al 2012). Using force field analysis (FFA) enables the quantification of human factors in order to assist senior management to make decisions on the allocation of organizational resources for achieving ISMS goals.

The identification of driving forces, which promote IS goals and objectives of organizations will follow with the identification of restraining forces. Every single force will be allocated a numerical scale based on responses that received from people who interviewed in organizations in our last study.

This numerical scale measures the impact factor of each force. Change in the direction of ISMS will be defined by elimination of restraining forces and capitalization on driving forces.

This figure defines a status of the both forces and the direction which organizations must move to achieve an effective ISMS. Modelling this relationship based on force field analysis requires firstly, to understand and to define the current state of ISMS (Marilynn and Bozak, 2003).

The current situation prevents positive changes (obstacles) to stop ISMS moves towards an ideal situation (goals) in order to keep the status quo. Obstacles promote risks and goals boost the integrity of ISMS.

Goal Driven Risk Management Model

Figure 2. Overview of goal-driven risk management model levels

Goal-driven risk management model effectively address the risks that obstruct the successful project outcomes (Islam, 2011; Islam et al., 2010). The approach explicitly models the relations between the goals with the risk factors that obstruct these goals. Risks are then assessed and suitable control actions are selected to mitigate the risks so that the project can attain its goals.

Goals are the objectives, expectations and constraints of a specific system context and its surrounding environment as prescriptive statements of intents whose satisfaction contributes to the overall project success. The risks are obstacles that have consequences raise the chance of single or multiple undesirable circumstances that obstruct the goals and certainly reduce the likelihood of the project success.

The reason for choosing goal-modelling language is that goals and risks are complementary entities of a software project. A risk is usually defined as negation to a single or multiple goals or a loss of attainment of some corresponding objectives. Risks always shadow the goals and certain goals may be risky.

The model supports different levels of abstraction from goal to obstacle and finally to the treatment, as shown in Figure 2. On the top, there are the goals, i.e., objectives, expectations and constraints of the development components.

In the middle are the risk factors that directly or indirectly obstruct the goal to fulfill and incur problems within the system context. At the bottom part, there are the control actions that obstruct the risks and their consequences and contribute to attain the goals.

The final article in this series will explore concepts for modelling human factors in information security management systems – stay tuned!

About the Author:Reza Alavi is currently conducting his research in the School of Architecture, Computing and Engineering (ACE) in the University of East London. His research topic is: “Modeling a Human-Centric Approach For An Effective Information Security Management System (ISMS) – British Financial Institutions Perspective”. His research interests are the role of people and organizations in Information Security Management System (ISMS) with special interest in Information Assurance (IA). Reza has been working in various IT and business management positions such as Networking, IT Audit, and Sales and Marketing Management for the last 23 years.

Editor’s Note:The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.